Intro

* Cooper Quintin
  - Senior security researcher
  - Has a toddler (dad jokes)
  - Former teenage phone phreak
* EFF
  - Member supported non profit
  - Defending civil liberties for 30 years
  - Threat Lab
Yomna!

None of this research would have been possible without her hard work. This is as much her project as mine.

Twitter: Orival elf 


Actual photo of Yomna 
Technology that Targets At Risk People

* Activists, human rights defenders, journalists, domestic abuse victims, immigrants, sex workers, minority groups, political dissidents, etc...
* Goals of this technology
  - Gather intelligence on opposition
  - Spy extraterritorially or illegally
  - Locate and capture
  - Extortion
  - Harass and intimidate
  - Stifle freedom of expression
Jeff Bezos Can Afford a Security Team

Cybersecurity and AV companies care about the types of malware that affect their customers (usually enterprise).

We get to care about the types of technology that infringe on the civil liberties and human rights of at risk people.

This guy is not at risk.
Our Goals

* Protect people
* Broaden our communities' understanding of threats and defenses
* Expose bad actors
* Make better laws
Previous Projects

* Stalkerware (Coalition Against Stalkerware)
* Dark Caracal
What We are Going to Talk About Today

* Cell-site simulators AKA Stingrays or IMSI Catchers
* How they work
* Previous efforts to detect them
* A new method to detect them
* How to fix the problem
Cell Technology Overview

* UE - The phone - User Equipment
* IMSI - International Mobile Subscriber ID - ID for the SIM card
* IMEI - International Mobile Equipment ID - ID for the hardware
* eNodeB - Base station, what the UE is actually communicating with.
* EARFCN - The frequency a UE/eNodeB is transmitting on
* Sector - A specific antenna on the base station
Cell Technology Overview

* MIB - Master Information Block, broadcast by the eNodeB and tells where to find the SIB
* SIB - System Information Block, contains details about the eNodeB
* MCC/MNC/TAC - Mobile Country Code, Mobile Network Code, Tracking Area Code
* PLMN = MCC + MNC, Public Land Mobile Network
Cell Technology Overview

IMSI catcher, Stingray, Hailstorm, fake base station == cell-site simulator (CSS)

This is acronym hell and I'm sorry.

Cell Technology Overview

[Diagram: LTE architecture. eNodeBs (E-UTRAN) connect to the Serving Gateway (S-GW) and PDN Gateway (P-GW) of the Enhanced Packet Core (EPC), which connects on to IP networks: IMS, Internet, Apps.]
Stingray

[Photo: Stingray unit; visible labels include "INTERNAL CONTROLLER" and "10/100".]
What Changed Between 2G and 4G

* eNodeB and UE mutually authenticate
* Better encryption between eNodeB and UE
* No longer naively connect to the strongest tower
How do 4G CSS Work

* What are the vulns next gen CSS are taking advantage of?
* Pre-authentication handshake attacks
* Downgrade attacks

Gotta Catch 'Em All whitepaper by Yomna
Pre-Authentication Vulnerabilities

* 4G has a glass jaw
* Even though the UE authenticates the tower there are still several messages that it sends, receives, and trusts before authentication happens or w/o authentication
* This is the weak spot in which the vast majority of 4G attacks happen
[Diagram: LTE attach sequence between the UE, the base station and the MME/AMF: frame synchronization, MIB, SIB, RRC connection request, RRC connection setup, RRC connection setup complete, attach request, attach accept, attach complete. The pre-authentication part of the exchange is marked "Here there be dragons".]

Source: Insecure Connection Bootstrapping in Cellular Networks: The Root of All Evil
How Often are CSS Being Used

* ICE/DHS - hundreds of times per year
  - https://www.aclu.org/news/immigrants-rights/ice-records-confirm-that-immigration-enforcement-agencies-are-using-invasive-cell-phone-surveillance-devices/
* Local law enforcement
  - Oakland - 1-3 times per year
    https://oaklandprivacy.org/oakland-privacy-sues-vallejo/
  - Santa Barbara PD - 231 times in 2017
    https://www.eff.org/deeplinks/2019/05/eff-asks-san-bernardino-court-review-device-search-and-cell-site-simulator
How Often are CSS Being Used

* Foreign Spies
  - IMSI Catchers in DC
* Cyber Mercenaries
  - NSO Group
    https://www.amnestyusa.org/wp-content/uploads/2020/06/Morocco-NSO-Group-report.pdf
* Criminals
  - https://venturebeat.com/2014/09/18/the-cell-tower-mystery-gripping-america-has-now-been-solved-or-has-it/
Previous Efforts to Detect CSS

App Based
* AIMSICD
* Snoop Snitch
* Darshak

Strengths
* Cheap
* Easy to use

Weaknesses
* Limited data
* Lots of false positives
* False negatives?
Previous Efforts to Detect CSS

Radio Based
* Seaglass
* SITCH
* Overwatch

Strengths
* Better data
* Lower level information

Weaknesses
* Harder to set up, use, interpret
* Cost of hardware
* Can't transmit
Can we detect 4G IMSI Catchers?

* How can we improve on previous attempts
  - Lower level data
  - See all towers, not just what we are connecting to
  - Compare that data over time
  - Look at 4G antennas!
  - Verify results!
Introducing Crocodile Hunter

[Crocodile Hunter logo]
Crocodile Hunter Software Stack

* Backend based on srsLTE
  - Open source LTE software stack
  - Written in C++
  - Communicates with frontend over a local socket
* Python for heuristics, database and frontend
  - Get data from socket
  - Add it to database
  - Run heuristics
  - Display tower locations
* API for sharing data
Crocodile Hunter Tools

[Screenshot: Crocodile Hunter web frontend, project "dreamforce", with tabs Cells / Enodebs / Combined. A Google map of the Moscone Center / Moscone West area in San Francisco shows the located eNodeB markers; the table below lists cells with columns including Suspicious % and First Seen (one row: 100%, 2019-11-21 12:34:48, 2019-11-21 14:25:25).]

Defcon Safe Mode // Aug 2020
Crocodile Hunter Hardware Stack

* Laptop / Raspberry Pi
* USB GPS Dongle
* SDR compatible with srsLTE: BladeRF, Ettus B200
* LTE Antennas
* (Battery for Pi)
Workflow

1. Decode MIB and SIB1 for all the cells that we can see and record them.
2. Map the probable location of cells
3. Look for anomalies in the readings
4. Locate suspicious cells and confirm results
Decode MIB and SIB1

srsLTE scans a list of EARFCNs.
If we find a MIB we decode the MIB and SIB and send them over the socket.
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Calculating suspiciousness for «Tower: 0-0-0-0, loc: 37.7175,-122.139, time: 2020-07-13 15:10:56, freq: 731.5» 
RUNNING US CENTRIC HEURISTICS; THIS WILL RESULT IN FALSE POSITIVES IF YOU ARE NOT IN THE US 
Found 7 towers a total of 342 times 
opencellid location ('status': 'ok', 'balance': 4992, 'lat': 37.71749319, 'lon': -122.13906204, 'accuracy': 92) 
Adding a new tower: «Tower: 310- 260-16763-83519.0, loc: 37.71749319,-122.13906204, time: 2020-07-13 15:11:06, freq: 731.5» 
Calculating suspiciousness for «Tower: 310-260-16763-83519, loc: 37.7175,-122.139, time: 2020-07-13 15:11:06, freq: 731.5» 
RUNNING US CENTRIC HEURISTICS; THIS WILL RESULT IN FALSE POSITIVES IF YOU ARE NOT IN THE US 
Found towers a total of 343 times 
opencellid location {'status': 'ok', 'balance': 4991, 'lat': 37.71749319, 'lon': -122.13906204, 'accuracy': 92} 
Adding a new tower: «Tower: : 310-269-16763-83519.0. loc: 37.71749319,-122.13906204, time: 2020-07-13 15:11:12, freg: 731.5> 
Calculating suspiciousness for <Tower: 310-260-16763-83519, loc: 37.7175,-122.139, time: 2020-07-13 15:11:12, freq: 731.5> 
RUNNING US E HEURISTICS; THIS WILL RESULT IN FALSE POSITIVES IF YOU ARE NOT IN THE US 
Found towers a total of 14 time 
opencellid ieee ('status': 'ok', 'balance': 4990, 'lat': 37.71749319, 'lon': -122.13906204, 'accuracy': 92} 
Adding a new tower: «Tower: i loc: 37.71749319,-122.13906204, time: 2020-07-13 15:11:17, freq: 731.5> 
Calculating suspiciousness for <Tower: 310-260-16763-83519, loc: 37.7175,-122.139, time: 2020-07-13 15:11:17, freq: 731.5> 
RUNNING US CENTRIC HEURISTICS; THIS WILL RESULT IN FALSE POSITIVES IF YOU ARE NOT IN THE US 
Found 7 towel total of 4 times 
opencellid location {'status': 'ok', 'balance': 4989, 'lat': 37.71753303, 'lon': -122.1390516, 'accuracy': 96} 
Adding a new tower: <Tower: ala loc: 37.71753303,-122.1390516, time: 2020-07-13 15:11:38, freq: 731.5> 
Calculating suspiciousness for <Tower: 310-260-16763-83519, loc: 37.7175,-122.139, time: 2020-07-13 15:11:38, freq: 731.5> 
RUNNING US CENTRIC HEURISTICS; THIS WILL RESULT IN FALSE POSITIVES IF YOU ARE NOT IN THE US 
Found 7 towers a total of 346 times 
opencellid location {'status': 'ok', 'balance': 4988, 'lat': 37.71753303, 'lon': -122.1390516, 'accuracy': 96} 
Adding a new tower: «Tower: 310-260-16763-83519.0, loc: 37.71753303,-122.1390516, time: 2020-07-13 15:11:51, freq: 731.5» 
Calculating suspiciousness for «Tower: 310-260-16763-83519, loc: 37.7175,-122.139, time: 2020-07-13 15:11:51, freq: 731.5» 
RUNNING US CENTRIC HEURISTICS; THIS WILL RESULT IN FALSE POSITIVES IF YOU ARE NOT IN THE US 


Database 


iaDB [dreamforce]> describe tower_data; 


| classification | enum('unknown','legitimate','small_cell','suspicious','CSS') 
| external_db | enum('not_present','unknown','wigle','opencellid') 
ایدو یی شرب ای‎ etti مہب می شس ا کشم سی‎ scorciatoia perio ر اک‎ ria ttis tres ttn iati 


| Field | Type | 
| id | int(11) | 
| mec | int(11) | 
| mnc | int(11) | 
| tac | int(11) | 
| cid | int(11) | 
| phyid | int(11) | 
| earfcn | int(11) | 
| lat | float | 
| lon | float | 
| timestamp | datetime | 
| rssi | float | 
| suspiciousness | int(11) | 
| frequency | float | 
| enodeb_id | int (11) | 
| sector_id | int(11) | 
| cfo | float | 
| rsrq | float | 
| snr | float | 
| rsrp | float | 
| | float | 
| est_dist | float | 
| raw sibl | varchar(255) : 

| 
Mapping out antennas in real time

* Using trilateration and distance estimates we can figure out where all the towers are
* Compare this to a ground truth such as Wigle or OpenCelliD
Trilateration vs Triangulation

Trilateration: L = R1 ∩ R2 ∩ R3 (the location is where the range circles from three measurements intersect)
Triangulation (bearing): L = B1 ∩ B2 (the location is where two bearings intersect)

[Diagram: trilateration]
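As an added worked example (not Crocodile Hunter's own code), here is the trilateration step in Python: a least-squares fit of a cell's position from three or more receiver fixes and their est_dist values, followed by the comparison against an external-DB location. The cell position, the fixes and the OpenCelliD-style record are constructed; how est_dist is derived from signal strength is outside this example, it is taken as given.

```python
import math

M_PER_DEG = 111_320.0  # metres per degree of latitude; planar approximation, fine over a few km

def to_xy(lat, lon, ref):
    """Project (lat, lon) to local east/north metres around the reference fix."""
    return ((lon - ref[1]) * M_PER_DEG * math.cos(math.radians(ref[0])),
            (lat - ref[0]) * M_PER_DEG)

def to_latlon(x, y, ref):
    return (ref[0] + y / M_PER_DEG,
            ref[1] + x / (M_PER_DEG * math.cos(math.radians(ref[0]))))

def trilaterate(readings):
    """Least-squares cell position from >= 3 {lat, lon, est_dist} receiver readings.
    Subtracting the first range circle from every other one leaves equations linear in
    (x, y); the 2x2 normal equations are then solved by Cramer's rule (no numpy)."""
    if len(readings) < 3:
        raise ValueError("need at least three readings")
    ref = (readings[0]["lat"], readings[0]["lon"])
    pts = [(*to_xy(r["lat"], r["lon"], ref), r["est_dist"]) for r in readings]
    x0, y0, d0 = pts[0]
    saa = sab = sbb = sa = sb = 0.0
    for xi, yi, di in pts[1:]:
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x0 ** 2 - y0 ** 2
        saa, sab, sbb, sa, sb = saa + a * a, sab + a * b, sbb + b * b, sa + a * c, sb + b * c
    det = saa * sbb - sab * sab
    if abs(det) <= 1e-9 * max(saa * sbb, 1.0):
        raise ValueError("receiver fixes are collinear; take readings from another direction")
    return to_latlon((sa * sbb - sb * sab) / det, (saa * sb - sab * sa) / det, ref)

def offset_from_db(estimate, db_entry):
    """Metres from our estimate to the external-DB location, and whether that is
    inside the entry's stated accuracy radius (i.e. the cell is where it should be)."""
    dist = math.hypot(*to_xy(estimate[0], estimate[1], (db_entry["lat"], db_entry["lon"])))
    return dist, dist <= db_entry["accuracy"]

def synth_readings(true_cell, fixes):
    """Constructed sample: the est_dist a receiver at each GPS fix would report."""
    tx, ty = to_xy(*true_cell, fixes[0])
    return [{"lat": la, "lon": lo, "est_dist": math.hypot(tx - x, ty - y)}
            for la, lo in fixes for x, y in [to_xy(la, lo, fixes[0])]]

TRUE_CELL = (37.7190, -122.1370)  # hypothetical cell position (constructed)
FIXES = [(37.7175, -122.1390), (37.7205, -122.1395), (37.7180, -122.1340), (37.7210, -122.1350)]
DB_ENTRY = {"lat": 37.71905, "lon": -122.13690, "accuracy": 92}  # constructed OpenCelliD-style record

if __name__ == "__main__":
    est = trilaterate(synth_readings(TRUE_CELL, FIXES))
    print(est, offset_from_db(est, DB_ENTRY))
```

With real readings the range circles will not meet in a point, which is why the fit is least squares and why the result is compared against the DB entry's accuracy radius rather than an exact match.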
Looking for Anomalies

* Cells moving
* Cells that change signal strength
* Cells that aren't where they should be
* Cells changing parameters
* Cells missing parameters
* New cells
* Anomaly != CSS, that's why we have to verify
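The checks in the list above, as an added example in Python (not Crocodile Hunter's own heuristics code): each decoded cell is compared with its previous sighting and with the external-DB lookup, and the matches are summed into a suspiciousness score. The thresholds, weights and sightings are constructed for the example; as the last bullet says, a high score is a reason to go and verify, not a CSS verdict.

```python
import math

MOVE_M, RSSI_STEP_DB = 500.0, 15.0  # thresholds assumed for this example, not the project's
WEIGHTS = {"new_cell": 10, "missing_parameters": 20, "changed_parameters": 30, "not_in_external_db": 20,
           "not_where_expected": 30, "cell_moved": 30, "signal_jump": 10}  # assumed weights

def meters(a, b):
    # Planar distance in metres between two (lat, lon) points; fine over a few km.
    dy = (b[0] - a[0]) * 111_320.0
    dx = (b[1] - a[1]) * 111_320.0 * math.cos(math.radians(a[0]))
    return math.hypot(dx, dy)

def score(s, history):
    """Return (suspiciousness, reasons) for one decoded cell and record it in history.
    history maps "mcc-mnc-cid" to that cell's previous sighting; a non-zero score is a
    prompt to go and verify the cell, not a CSS verdict."""
    key = f"{s['mcc']}-{s['mnc']}-{s['cid']}"
    prev, reasons = history.get(key), []
    if prev is None:
        reasons.append("new_cell")
    if s["tac"] is None or not s["raw_sib1"]:
        reasons.append("missing_parameters")
    if prev and (prev["tac"], prev["earfcn"]) != (s["tac"], s["earfcn"]):
        reasons.append("changed_parameters")
    if s["external_db"] == "not_present":  # no ground truth in Wigle/OpenCelliD
        reasons.append("not_in_external_db")
    elif s["external_dist_m"] is not None and s["external_dist_m"] > s["external_accuracy_m"]:
        reasons.append("not_where_expected")
    if prev:
        if meters((prev["est_lat"], prev["est_lon"]), (s["est_lat"], s["est_lon"])) > MOVE_M:
            reasons.append("cell_moved")
        if abs(prev["rssi"] - s["rssi"]) > RSSI_STEP_DB:  # crude: ignores our own movement
            reasons.append("signal_jump")
    history[key] = s
    return sum(WEIGHTS[r] for r in reasons), reasons

def sighting(cid, tac, earfcn, rssi, est_lat, est_lon, sib1, ext_db, ext_dist=None, ext_acc=None):
    return dict(mcc=310, mnc=260, cid=cid, tac=tac, earfcn=earfcn, rssi=rssi, est_lat=est_lat,
                est_lon=est_lon, raw_sib1=sib1, external_db=ext_db, external_dist_m=ext_dist,
                external_accuracy_m=ext_acc)

# Constructed sightings (not real captures): the cell from the log above, read twice and stable, then
# a cell absent from every external DB with no TAC that later gains one, jumps 20 dB and moves ~800 m.
SIGHTINGS = [
    sighting(83519, 16763, 5035, -62.0, 37.7175, -122.1391, "sib1", "opencellid", 40.0, 92.0),
    sighting(83519, 16763, 5035, -64.0, 37.7176, -122.1391, "sib1", "opencellid", 45.0, 92.0),
    sighting(999001, None, 5035, -40.0, 37.7200, -122.1400, None, "not_present"),
    sighting(999001, 1, 5035, -20.0, 37.7272, -122.1400, "sib1", "not_present"),
]
```

Run the sightings through score() in order with one shared history dict; est_lat/est_lon stand for the trilaterated cell position, not the receiver's GPS fix.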
Why Don't we Transmit?

[Meme image: "Wait. That's illegal."]
What we Found so Far

Cell on wheels at Dreamforce

[Photo of the cell on wheels, captioned as a meme: "Cell-site simulators aren't always this ... / That's why we have Crocodile Hunter"]
What we Found so Far

Suspicious eNodeBs in Washington DC

eNodeB ID  PLMN
653671     350-490  None
653671     310-410  None
654486
654538
654794     308-451
654794     310-410
Washington DC

[Screenshot: tower_data rows for the Washington DC eNodeBs. The first table (columns est_dist, external_db, mcc, mnc, phyid, rsrp, rsrq, rssi, sid, snr) is only partly legible in the source; the legible values are:]

58.4614 7.31153 -14.3092
Unknown -21.4078 167 -2.52688
0.507082 Not_Present 1955.0 -4.16847 -12.1525 -32.1733 125 2.92086
38.2501 Not_Present 739.0 8.35644 -12.9575 -23.3778 133

earfcn  est_dist  external_db  MHz     mcc  mnc  phyid  rsrp     rsrq      rssi      sid  snr
850     0.662138  Wigle        1955.0  308  451  419    3.12503  -16.4038  -27.0273  10   -0.58374
850     2.69926   Wigle        1955.0  310  410  419    4.28062  -13.3471  -27.7592  10
850     1.55341   Wigle                310  410  419    3.49412  -15.6305  -26.3221  10   -1.20262
Ongoing Tests

* Latin America (FADe Project)
* DC
* NYC
* Your hometown (coming soon...)
Future Work

* Better heuristics
* Better location finding
* Machine learning for detection of anomalies
* Port to cheaper hardware
What's With the Name?

Press F to pay respects to Steve
How Can we Stop Cell-Site Simulators

* End 2G support on iOS and Android now!
  - https://www.eff.org/deeplinks/2020/06/your-phone-vulnerable-because-2g-it-doesnt-have-be
* Eliminate pre-authentication messages
  - TLS for the handshake with towers
* More incentives for standards orgs (3GPP), carriers, manufacturers, and OEMs to care about user privacy
* Nothing is foolproof but we aren't even doing the bare minimum yet.
Key Takeaways

* We have a pretty good understanding of the vulns in 4G which commercial cell-site simulators might exploit
* None of the previous IMSI catcher detector apps really do the job any more.
* We have come up with a method similar to established methods but targeting 4G.
* The worst problems of CSS abuse can be solved!
Thanks to the following people

* Yomna!
* The whole EFF crew
* Andy and Bob at Wigle
* Roger Piqueras-Jover
* Nima Fatemi with Kandoo, Surya Mattu, Simon
* Carlos and the FADe Project
* Karl Koscher, Peter Ney, and others at UW (SEAGLASS)
* Ash Wilson (SITCH) and Eric Escobar (Defcon Justice Beaver)
* Kristin Paget

Thank you!

Cooper Quintin
Senior Security Researcher
EFF Threat Lab

cooperq@eff.org - twitter: @cooperq
https://github.com/efforg/crocodilehunter